Shutdown: Clear virtual memory pagefile

bbf7d8e7-9ffe-4643-8910-55c5a6f9f824

Important information that is kept in real memory might be written periodically to the paging file. This helps devices handle multitasking functions. A malicious user who has physical access to a server that has been shut down can view the contents of the paging file. The attacker can move the system volume into a different computer and then analyze the contents of the paging file. This is a time-consuming process, but it can expose data that is cached from RAM to the paging file.

IMPORTANT NOTE: Clearing the page file will secure delete information on the temporary page file. This process takes time depending on page file size and drive speed. On a very large memory server with slow disk access, could take 20 to 30 minutes. This only affects a planned server shutdown, it won't process on a "not planned" shutdown or emergency shutdown.

Remediation

  • Run gpedit.msc (or run Group Policy Editor from your Domain Controller and add or edit a Group Policy)
  • Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options on the left panel
  • In the right panel, find and double-click on the Shutdown: Clear virtual memory page file policy
  • In the policy settings window, select the Enabled radio option, and then click on the OK button to save the changes
  • If you set the policy from a Domain Controller, you can run gpupdate from a command prompt on a workstation/server to pull the updated policy
  • Restart your computer for the changes to take effect

More Info: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile



bestpractice-server
server